Apache has issued advisories today (July 13):
https://www.openwall.com/lists/oss-security/2021/07/13/1
https://www.openwall.com/lists/oss-security/2021/07/13/2
https://www.openwall.com/lists/oss-security/2021/07/13/3
https://www.openwall.com/lists/oss-security/2021/07/13/4
See also here with the CVEs listed:
https://commons.apache.org/proper/commons-compress/security-reports.html
The issues are fixed upstream in 1.21. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.21
Whiteboard: (none) => MGA8TOO
openSUSE has issued an advisory for this today (August 5): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVOH7P2WI6SSS2OORQJBS45T5SKKO7BV/
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
apache-commons-compress-1.21-1.mga9 uploaded for Cauldron by Nicolas.
updated in mga8:
src:
- osgi-core-8.0.0-1.mga8
- apache-commons-compress-1.21-1.mga8
Assignee: java => qa-bugs
Status comment: Fixed upstream in 1.21 => (none)
osgi-core-8.0.0-1.mga8
osgi-core-javadoc-8.0.0-1.mga8
apache-commons-compress-1.21-1.mga8
apache-commons-compress-javadoc-1.21-1.mga8
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Trying to follow Len's example from bug 22787 Comment 12.
Created a folder pocapachecompress in my Documenten, copied the test files into it and a zipfile of mine. Created in that folder another folder to contain the extracted files.
$ cd Documenten//pocapachecompress/
$ javac -cp .:"/usr/share/java/apache-commons-compress.jar" Zipextract.java
[tester8@mach5 pocapachecompress]$ ls
extraction/  Merksem.zip  Zipextract.class  Zipextract.java  Zipup.java
then copied command, but got
$ java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipextract
Error: format is Zipextract <zip file> <extract location>
So tried
$ java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipextract Merksem.zip extraction/
That gave no error, but when I look at what had been extracted
$ cd extraction/
[tester8@mach5 extraction]$ ls
'Merksem Logo.ai'
But the zip file contains a folder "_MACOXS" and three image files Merksem, one .ai as shown, one eps and one png. I don't know what to think of this result.
CC: (none) => herman.viaene
javac -cp .:"/usr/share/java/apache-commons-compress.jar" Zipup.java
java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipup
journalctl > jrn.txt
ls -ltr
ll
java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipup
java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipup jrn.txt jrn.zip
ls -ltr
javac -cp .:"/usr/share/java/apache-commons-compress.jar" Zipextract.java
ls -ltr
rm *.txt
java -cp .:"/usr/share/java/apache-commons-compress.jar" Zipextract jrn.zip .
Worked for me. Does anyone want me to write the routine for 7z testing?
CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK
Len's comment in the bug Herman cited thanked Brian for his help, so it would appear that Brian has the most experience with these packages. Therefore, I'm going with his OK. Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0009.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED